Security for Your WordPress Site: Processes, Passwords, & Plugins

One of the most important parts of developing a site for a client is educating and training that client on site security. Once we hand a site over, day-to-day information security belongs to them: we can implement the best WordPress security plugins and processes, but if the owner uses a weak password it is only a matter of time before the site is compromised.

So, first and foremost, information security (site security included) belongs to both the developer and the client. As far as the client is concerned, if their site gets hacked or breaks because of a security vulnerability, the first person they will blame is the developer. If we have educated them on information security, blaming the developer may still be their tendency, but it will not be their first recourse. Simply put, information security is everyone’s responsibility.

Most of this information comes from the WordCamp Phoenix security presentation given by WPVibe.com co-founder Dre Armeda together with Brad Williams, CEO and founder of WebDev Studios.

So what are some security tips around passwords, plugins, and processes?

Don’t store credentials in your FTP client. As tempting as it is to let browsers and FTP clients remember your credentials, avoid it: saved logins sit on disk in a known location, and malware that harvests FTP client profiles has been a common way for sites to get defaced. Prefer SFTP over plain FTP as well, since FTP sends the password across the network in clear text.

Hosting

Use hosts that take security seriously and say so. Free hosting is nice, but the cost of recovering a hacked site can easily exceed what you saved.

Purchase an SSL certificate from your hosting company; you will need a working one for the HTTPS settings described under WordPress below.

WordPress

Update WordPress! Point releases (3.0.x, 3.1.x, 3.2.x) are bug-fix and security releases. WordPress is open source, so the moment a fix ships the vulnerability it patches is public, and attackers diff the release to build exploits; a site that has not been updated is an easy target for every one of them. Point releases rarely need development testing and should be applied promptly (WordPress 3.7 and later install them automatically). Major releases (3.0, 3.1, 3.2) should be tested in a development/staging environment before going live.

Update plugins! Read the changelog and release details to see whether a version adds new features, patches known problems, or closes a security hole. A security fix should go out right away; a feature release deserves a test run first. Delete plugins you no longer use: a deactivated plugin’s files remain on disk and can still be requested by URL, so a hole in them is still reachable.

Change the database table prefix. The default is wp_, and everyone knows it; scripted attacks and SQL injection payloads hard-code table names such as wp_users. Changing the prefix to something unique is obscurity rather than a fix (an attacker who can run arbitrary SQL can simply list the tables), but it does blunt blind, automated attacks. The famous five-minute install has a field for it at installation time. For an existing site there are plugins that will change it, and if you know phpMyAdmin and MySQL you can do it by hand: rename every table, set $table_prefix in wp-config.php, and, the step that is easy to miss, update the rows whose keys embed the prefix (option_name wp_user_roles in the options table, and meta_key values such as wp_capabilities and wp_user_level in usermeta). Skip that last step and every account loses its role, which locks you out of wp-admin. See also my pictorial guide: Pictorial Tutorial on WordPress Security: Change the WP_ Prefix
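The by-hand route above is easy to get half right, so here is an added example (this editor’s script, not code from the original post or from the presentation) that prints the complete SQL for a prefix change: one RENAME TABLE per table plus the two UPDATE statements for the options and usermeta rows. It reads the table list from stdin so that plugin tables sharing the prefix are renamed too. The database name wpdb and the new prefix k3x_ in the usage comments are assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: print the SQL that moves a
# WordPress database from one table prefix to another.
#
# Renaming the tables is only half the job. WordPress also embeds the prefix in
# row data, and forgetting these rows strips every user of their role:
#   options.option_name  'wp_user_roles'
#   usermeta.meta_key    'wp_capabilities', 'wp_user_level', 'wp_user-settings', ...
#
# Table names are read from stdin, one per line, so plugin tables that share the
# prefix are renamed as well. Typical use (database name "wpdb" and the new
# prefix "k3x_" are assumptions for this example):
#   mysql -N -e "SHOW TABLES LIKE 'wp\_%'" wpdb | wp_prefix_sql wp_ k3x_ > rename.sql
#   mysql wpdb < rename.sql          # after reading rename.sql
#   then set  $table_prefix = 'k3x_';  in wp-config.php
# RENAME TABLE is DDL and commits implicitly in MySQL, so take a backup first.

wp_prefix_sql() {
    old=$1
    new=$2
    for p in "$old" "$new"; do
        # WordPress itself rejects any other character in $table_prefix.
        case "$p" in
            ''|*[!A-Za-z0-9_]*)
                echo "prefixes may only contain letters, digits and _" >&2
                return 1 ;;
        esac
    done
    # In LIKE patterns '_' matches any single character; escape it so that
    # 'wp\_%' does not also match a table named 'wpxusers'.
    old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    first=$(( ${#old} + 1 ))    # SUBSTRING() is 1-based: keep from here on

    while IFS= read -r table; do
        case "$table" in
            "$old"*) ;;          # only tables that carry the old prefix
            *) continue ;;
        esac
        printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "${table#"$old"}"
    done

    # The rows that embed the prefix, rewritten in the already renamed tables.
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$first" "$old_like"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$first" "$old_like"
}
```

Review the generated file before feeding it to mysql: the RENAME statements must come first, because the two UPDATE statements address the tables by their new names.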

Use secret keys in wp-config.php. Get them from the WordPress secret-key API (https://api.wordpress.org/secret-key/1.1/salt/), which generates the eight AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and matching _SALT constants. They are the keys behind the signatures on your login cookies and on nonces, so treat them like passwords: generate a fresh set per site and never copy them from another install. Newer installations ship with them in place, but an older installation that has been upgraded may still carry the placeholder values, so check. Changing them on a live site only invalidates current cookies (everyone has to log in again) and has no other adverse effects.

Lock down the login and wp-admin. Add one of the following to wp-config.php to force HTTPS on the login page or on every admin screen. HTTPS on the admin screens encrypts the login password and the authentication cookie in transit, so neither can be sniffed on a shared network. Make sure HTTPS actually works for your hostname (a valid certificate installed by the host) before enabling this, or you will lock yourself out of wp-admin with redirect loops and certificate errors. The constants take PHP booleans: the string 'true' happens to work because any non-empty string is truthy, but so would 'false', so use the bare keyword, and use straight quotes (curly quotes are a PHP syntax error). FORCE_SSL_ADMIN already covers the login page, and since WordPress 4.0 FORCE_SSL_LOGIN is deprecated and simply turns FORCE_SSL_ADMIN on.
On login only
[php]define( 'FORCE_SSL_LOGIN', true );[/php]
On admin pages (includes the login page)
[php]define( 'FORCE_SSL_ADMIN', true );[/php]

Create an .htaccess file in wp-admin to restrict it to known IP addresses. Put the following in wp-admin/.htaccess:
[html]
# Apache 2.2 access control: deny everyone, then allow only the listed addresses.
# (The Auth* lines are harmless without a Require directive and can be dropped.)
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# IP addresses to whitelist
allow from 67.123.83.59
allow from 123.123.123.123
# Themes and plugins call admin-ajax.php from the public site, even for
# visitors who are not logged in; keep it reachable or those features break.
<Files admin-ajax.php>
    order allow,deny
    allow from all
</Files>
[/html]
This example only lets clients at 67.123.83.59 or 123.123.123.123 reach wp-admin; everyone else gets a 403. Note that IP addresses change: if you lock yourself out, edit the file over SFTP or SSH to add your new address, or simply delete it. The file survives WordPress upgrades because it is not part of core. Two caveats: wp-login.php lives in the site root, not in wp-admin, so this does nothing for the login form itself (use an equivalent <Files wp-login.php> block in the root .htaccess for that), and on Apache 2.4 the order/deny/allow directives only work with mod_access_compat loaded; the native 2.4 form is Require ip 67.123.83.59.

Move wp-config.php. WordPress looks for wp-config.php in its own directory and, failing that, exactly one directory above it (provided that directory does not hold another install’s wp-settings.php). So if your file is at public_html/wordpress/wp-config.php you can move it to public_html/wp-config.php. The move only buys you something when the parent directory is outside the web root: in that example public_html is usually the document root, so the file is still URL-addressable and would be exposed by any misconfiguration that stops PHP from executing it. Putting it at /home/you/wp-config.php above /home/you/public_html is the arrangement that keeps it off the web entirely.

Disable the WordPress generator tag. Viewing the source of most WordPress sites reveals the version they run, which helps attackers pick out installations with known holes. If your theme’s header.php hard-codes the tag, find and remove this line:
[html]<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />[/html]
The wp_head() function also prints the version. To remove it, add the following to your theme’s functions.php:
[php]remove_action( 'wp_head', 'wp_generator' ); // stop wp_head() from printing the generator meta tag[/php]
Be aware that this only hides the obvious tag: the version still appears in the RSS feeds (the the_generator filter controls that output), in the ?ver= query string WordPress appends to the core scripts and styles it enqueues, and in readme.html in the site root. Hiding it is a nuisance for scanners, not protection; staying up to date is. Themes and plugins may output their own versions, and some, such as the Genesis Framework, have an option to turn that off.

Use trusted sources for themes and plugins. Themes found outside the official directory frequently carry base64-encoded, eval()’d code that can break your site, add hidden black-hat SEO links, or open a backdoor. Instead of relying on Google or your favorite search engine, get themes and plugins from the WordPress.org directories, where submissions are reviewed, and grep anything from elsewhere for eval() and base64_decode() before installing it.
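To make that pre-install check concrete, here is an added example (this editor’s script, not code from the original post) that scans a theme or plugin directory for the obfuscation constructs injected code relies on. The pattern list is an assumption of this example, chosen from what such code typically uses; a hit is a reason to open the file and read it, not proof of compromise.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: a quick static scan of a
# downloaded theme or plugin for the constructs that injected SEO spam and
# backdoors almost always rely on. A hit means "open this file and read it",
# not "this is malicious": legitimate code calls base64_decode() too. The
# pattern list is this editor's choice, not something the post provides.

# eval()/assert()/create_function() execute strings; base64_decode(),
# gzinflate(), gzuncompress() and str_rot13() unpack hidden strings; and a run
# of 200+ base64 characters is a packed payload waiting to be decoded.
OBFUSCATION_RE='eval[[:space:]]*\(|assert[[:space:]]*\(|create_function[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|gzuncompress[[:space:]]*\(|str_rot13[[:space:]]*\(|[A-Za-z0-9+/=]{200,}'

scan_theme() {
    # Prints "file:line:text" for every suspicious line under the directory.
    # Exit status follows grep: 0 when something was found, 1 when clean.
    dir=$1
    grep -rnE --include='*.php' "$OBFUSCATION_RE" "$dir"
}

# Usage: scan_theme wp-content/themes/some-theme
```

Run it on the unpacked archive before it ever reaches wp-content/themes; a clean result does not prove the theme is safe, but a hit in footer.php or functions.php of a "free premium" theme is almost always the hidden-link or backdoor code the text above describes.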

Don’t use admin as your username. Before WordPress 3.0 every install created its first account as admin, so every brute-force list assumes it. You can rename it in MySQL; update user_nicename and display_name as well, or the old name still shows up in the author URL (/author/admin/): UPDATE wp_users SET user_login='hulkster', user_nicename='hulkster', display_name='hulkster' WHERE user_login='admin';. Or, from the dashboard:

Create a new account with a unique username

Assign the account the Administrator role

Log out and log back in with new account

Delete the admin account (WordPress will offer to attribute all content written by admin to an account of your choice; pick the new account so no posts disappear.)

File/Folder Permissions. Good rule of thumb:

files should be set to 644

folders to 755

If your host requires 777, switch hosts: that requirement means PHP runs as a shared web-server user rather than as your account, so making your files writable to it also makes them writable to every other customer on the machine. wp-config.php can be tighter still (600, or 640 if PHP runs under a different group) since it holds the database credentials and the secret keys.

This can be checked and set in FileZilla by right-clicking a file or folder and choosing File Permissions. Or via SSH:
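As an added example for the SSH route (this editor’s script, not code from the original post), the following audits a WordPress tree against the rule of thumb above and fixes it. It goes one step beyond the post by treating wp-config.php as 600, and it assumes PHP runs as the user that owns the files, which is the setup that never needs 777.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: audit and fix WordPress file
# permissions over SSH. Directories -> 755, files -> 644, and wp-config.php ->
# 600, which is stricter than the post's rule of thumb because that file holds
# the database password and secret keys and only PHP needs to read it (use 640
# if PHP runs under a different group than the file owner). Assumes PHP runs as
# the same user that owns the files, which is the setup that does not need 777.

WPCONFIG_MODE=600

audit_perms() {
    # Print every path whose mode differs from the target; empty output = clean.
    dir=$1
    {
        find "$dir" -type d ! -perm 755
        find "$dir" -type f ! -name wp-config.php ! -perm 644
        find "$dir" -type f -name wp-config.php ! -perm "$WPCONFIG_MODE"
    } | sort
}

world_writable() {
    # The dangerous case on shared hosting: anything another user could modify.
    find "$1" -perm -002
}

fix_perms() {
    dir=$1
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f ! -name wp-config.php -exec chmod 644 {} +
    find "$dir" -type f -name wp-config.php -exec chmod "$WPCONFIG_MODE" {} +
}

# Usage:  audit_perms /path/to/wordpress   then   fix_perms /path/to/wordpress
```

Run audit_perms first and read its output: if wp-content/uploads shows up as 777, that is usually a sign the host runs PHP as a shared user, which is exactly the situation the paragraph above tells you to leave.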

Customized Plugin

About Travis Smith

As a WordPress enthusiast, developer, and speaker, Travis writes about what he learns in WordPress trying to help other WordPress travelers, beginners and enthusiasts with tutorials, explanations, & demonstrations.

Comments

Very nice article.
I had been ‘lazy’ about implementing SFTP… until now. Have it set for all of my sites.
A note: the lockdown of WP Admin and Login is done in the wp-config.php file, for those that might not know.